<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-CN" />
<link href="../style/css/manual-zip.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-zip-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<title>mod_ldap － Apache 2.2 中文手册 [金步国]</title>
<script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?d286c55b63a3c54a1e43d10d4c203e75"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script>
</head>
<body><div id="page-header">
<p class="menu"><a href="index.html">模块索引</a> | <a href="directives.html">指令索引</a> | <a href="../faq/index.html">常见问题</a> | <a href="../glossary.html">词汇表</a> | <a href="../sitemap.html">站点导航</a></p><p class="apache">Apache HTTP Server 版本2.2</p><img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="index.html"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path"><a href="https://www.apache.org/">Apache</a> &gt; <a href="https://httpd.apache.org/">HTTP Server</a> &gt; <a href="https://httpd.apache.org/docs/">文档</a> &gt; <a href="../index.html">版本2.2</a> &gt; <a href="index.html">模块</a></div>

<div id="translation-info">　　 <a href="../translator_announcement.html#thanks">致谢</a> | 本篇译者：<a href="../../../index.html">金步国</a>(<a href="../../../index.html">作品集</a>) | 本页最后更新：0000年00月00日</div>
<div id="page-content"><div id="preamble"><h1>Apache模块 mod_ldap</h1>

<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="module">
<tr><th><a href="module-dict.html#Description">说明</a></th><td>为其它LDAP模块提供LDAP连接池和结果缓冲服务</td></tr>
<tr><th><a href="module-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">模块名</a></th><td>ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">源文件</a></th><td>util_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">兼容性</a></th><td>仅在 Apache 2.0.41 及以后的版本中可用</td></tr>
</table>
<h3>概述</h3>

    <p>本模块通过后端连接LDAP服务来改善网站性能。除了标准LDAP库提供的功能外，本模块增加了一个LDAP连接池和一个LDAP共享内存缓冲区。</p>

    <p>为了使用本模块的功能，LDAP支持必须编译进APU。这是通过在编译Apache时，在<code class="program"><a href="../programs/configure.html">configure</a></code>脚本命令行上增加 <code>--with-ldap</code> 开关来实现的。</p>

    <p>为了支持SSL/TLS ，需要<a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a>连接以下一个LDAP SDK ：<a href="http://www.openldap.org/">OpenLDAP SDK</a>(2.x或更新), <a href="http://developer.novell.com/ndk/cldap.htm">Novell LDAP SDK</a>, <a href="http://www.mozilla.org/directory/csdk.html">Mozilla LDAP SDK</a>, 本地 Solaris LDAP SDK (基于Mozilla), 本地 Microsoft LDAP SDK, <a href="http://www.iplanet.com/downloads/developer/">iPlanet (Netscape)</a> SDK 。参见<a href="http://apr.apache.org">APR</a>网站以获取更多信息。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="exampleconfig" id="exampleconfig">示例配置</a></h2>
    <p>下面的配置是一个使用<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>模块来提升<code class="module"><a href="mod_authnz_ldap.html">mod_authnz_ldap</a></code>提供的HTTP基本认证性能的例子。</p>

    <div class="example"><p><code>
      # 开启LDAP连接池及共享内存缓冲。<br />
      # 开启LDAP缓冲状态处理器。需要载入mod_ldap和mod_authnz_ldap模块。<br />
      # 把"yourdomain.example.com"改为你真实的域名。<br />
      <br />
      LDAPSharedCacheSize 200000<br />
      LDAPCacheEntries 1024<br />
      LDAPCacheTTL 600<br />
      LDAPOpCacheEntries 1024<br />
      LDAPOpCacheTTL 600<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPEnabled on<br />
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthLDAPAuthoritative on<br />
        require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>
</div><div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="pool" id="pool">LDAP连接池</a></h2>

    <p>LDAP连接是在请求之间共享的。这就允许LDAP服务器在跳过unbind->connect->rebind这样一个工作周期的情况下，保留连接以减少为下一次请求准备连接的时间。这种性能优化有点象HTTP服务的Keep-Alives功能。</p>

    <p>在一个比较繁忙的服务器上，很有可能许多请求同时尝试与同一个LDAP服务进行连接并得到它的服务。如果一个LDAP连接正在使用，Apache会在原来连接的基础上，生成一个新的连接。这将确保连接池不会成为瓶颈。</p>

    <p>不需要在Apache配置中手动开启连接池功能。任何使用本模块来访问LDAP服务的模块会自动共享连接池。</p>
</div><div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="cache" id="cache">LDAP缓冲</a></h2>

    <p>为了改善性能，<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>模块使用一种积极的缓冲策略以尽量减少与LDAP服务器的联系。通过缓冲，可以方便地使Apache在提供受mod_authnz_ldap保护的页面时，得到二倍或三倍的吞吐量。同时，LDAP服务器的负载也会明显地减小。</p>

    <p><code class="module"><a href="mod_ldap.html">mod_ldap</a></code>支持两种类型的LDAP缓冲。在search/bind阶段，使用一个<em>search/bind缓冲</em>，在compare阶段，使用两个<em>operation缓冲</em>。服务器引用的每个LDAP URL都有一组它自己的上述三个缓冲。</p>

    <h3><a name="search-bind" id="search-bind">Search/Bind缓冲</a></h3>
      <p>处理一个查询和绑定操作对LDAP实施来讲，是非常耗时，尤其当目录很大时，这一点更加明显。Search/bind缓冲用来缓冲所有的最终能成功绑定的查询。失败的结果(比如：不成功的查询或查询结果无法成功绑定)不会被缓冲。这样做是因为信任关系失败的连接在所有连接中只占了很小的一个百分比，因此，通过不缓冲这些连接，可以减少缓冲区的大小。</p>

      <p><code class="module"><a href="mod_ldap.html">mod_ldap</a></code>在缓冲区里储存了用户名、得到的DN 、用来绑定的口令、绑定的时间。当一个新的连接用同一个用户名来初始化的时候，<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>将新的连接的口令与保存在缓冲区里的口令进行比较。如果口令匹配，并且那个缓冲项目尚未失效的话，<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>就跳过search/bind阶段。</p>

      <p>查询与绑定缓冲由<code class="directive"><a href="mod_ldap.html#ldapcacheentries">LDAPCacheEntries</a></code>和<code class="directive"><a href="mod_ldap.html#ldapcachettl">LDAPCacheTTL</a></code>指令来控制。</p>


    <h3><a name="opcaches" id="opcaches">Operation缓冲</a></h3>
      <p>在区分与辨别过程中，<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>使用两个操作缓冲区来缓冲比较的操作。第一个缓冲区用来缓冲是否LDAP组成员的测试结果，第二个用来缓冲不同名字间鉴别的比较结果。</p>

      <p>这两个缓冲区都是由<code class="directive"><a href="mod_ldap.html#ldapopcacheentries">LDAPOpCacheEntries</a></code>和<code class="directive"><a href="mod_ldap.html#ldapopcachettl">LDAPOpCacheTTL</a></code>指令来控制的。</p>


    <h3><a name="monitoring" id="monitoring">缓冲区的监控</a></h3>
      <p><code class="module"><a href="mod_ldap.html">mod_ldap</a></code>包含了一个完整的处理器，通过它可以使管理员监控缓冲区的性能。这个处理器的名字是<code>ldap-status</code> ，因此可以用下列指令来得到<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>缓冲区的相关信息：</p>

      <div class="example"><p><code>
        &lt;Location /server/cache-info&gt;<br />
        <span class="indent">
          SetHandler ldap-status<br />
        </span>
        &lt;/Location&gt;
      </code></p></div>

      <p>通过URL <code>http://servername/cache-info</code> ，管理员可以得到<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>使用的每个缓冲的状态报告。注意，如果Apache不支持共享内存，那么每个<code class="program"><a href="../programs/httpd.html">httpd</a></code>实例都有它自己的缓冲区，因此，每次使用上述URL都可能会得到不同的结果，这取决于具体哪个<code class="program"><a href="../programs/httpd.html">httpd</a></code>实例处理了这个请求。</p>

</div><div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="usingssltls" id="usingssltls">使用SSL/TSL</a></h2>

    <p>通过<code class="directive"><a href="mod_ldap.html#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>, <code class="directive"><a href="mod_ldap.html#ldaptrustedclientcert">LDAPTrustedClientCert</a></code>, <code class="directive"><a href="mod_ldap.html#ldaptrustedmode">LDAPTrustedMode</a></code>指令可以定义与LDAP服务器建立SSL/TSL联接。这些指令指定了使用的CA和可选的客户端证书，以及连接使用的加密类型(none, SSL, TLS/STARTTLS)。</p>

    <div class="example"><p><code>
      # 在636端口建立一个SSL LDAP联接。需要模块mod_ldap和mod_authnz_ldap的支持。<br />
      # 将"yourdomain.example.com"修改为您自己的域名。<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPEnabled on<br />
        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthLDAPAuthoritative on<br />
        require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

    <div class="example"><p><code>
      # 在389端口建立一个TLS LDAP联接。需要模块mod_ldap和mod_authnz_ldap的支持。<br />
      # 将"yourdomain.example.com"修改为您自己的域名。<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPEnabled on<br />
        LDAPTrustedMode TLS
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthLDAPAuthoritative on<br />
        require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

</div><div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="settingcerts" id="settingcerts">SSL/TLS Certificates</a></h2>

    <p>The different LDAP SDKs have widely different methods of setting
    and handling both CA and client side certificates.</p>

    <p>If you intend to use SSL or TLS, read this section CAREFULLY so as to
    understand the differences between configurations on the different LDAP
    toolkits supported.</p>

    <h3><a name="settingcerts-netscape" id="settingcerts-netscape">Netscape/Mozilla/iPlanet SDK</a></h3>
        <p>CA certificates are specified within a file called cert7.db.
        The SDK will not talk to any LDAP server whose certificate was
        not signed by a CA specified in this file. If
        client certificates are required, an optional key3.db file may
        be specified with an optional password. The secmod file can be
        specified if required. These files are in the same format as
        used by the Netscape Communicator or Mozilla web browsers. The easiest
        way to obtain these files is to grab them from your browser
        installation.</p>

        <p>Client certificates are specified per connection using the
        LDAPTrustedClientCert directive by referring
        to the certificate "nickname". An optional password may be
        specified to unlock the certificate's private key.</p>

        <p>The SDK supports SSL only. An attempt to use STARTTLS will cause
        an error when an attempt is made to contact the LDAP server at
        runtime.</p>

        <div class="example"><p><code>
            # Specify a Netscape CA certificate file<br />
            LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db<br />
            # Specify an optional key3.db file for client certificate support<br />
            LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db<br />
            # Specify the secmod file if required<br />
            LDAPTrustedGlobalCert CA_SECMOD /certs/secmod<br />
            &lt;Location /ldap-status&gt;<br />
            <span class="indent">
                SetHandler ldap-status<br />
                Order deny,allow<br />
                Deny from all<br />
                Allow from yourdomain.example.com<br />
                AuthLDAPEnabled on<br />
                LDAPTrustedClientCert CERT_NICKNAME &lt;nickname&gt; [password]<br />
                AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
                AuthLDAPAuthoritative on<br />
                require valid-user<br />
            </span>
            &lt;/Location&gt;
        </code></p></div>



    <h3><a name="settingcerts-novell" id="settingcerts-novell">Novell SDK</a></h3>

        <p>One or more CA certificates must be specified for the Novell
        SDK to work correctly. These certificates can be specified as
        binary DER or Base64 (PEM) encoded files.</p>

        <p>Note: Client certificates are specified globally rather than per
        connection, and so must be specified with the LDAPTrustedGlobalCert
        directive as below. Trying to set client certificates via the
        LDAPTrustedClientCert directive will cause an error to be logged
        when an attempt is made to connect to the LDAP server..</p>

        <p>The SDK supports both SSL and STARTTLS, set using the
        LDAPTrustedMode parameter. If an ldaps:// URL is specified,
        SSL mode is forced, override this directive.</p>

        <div class="example"><p><code>
             # Specify two CA certificate files<br />
             LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
             LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
             # Specify a client certificate file and key<br />
             LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem<br />
             LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]<br />
             # Do not use this directive, as it will throw an error<br />
             #LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
        </code></p></div>



    <h3><a name="settingcerts-openldap" id="settingcerts-openldap">OpenLDAP SDK</a></h3>

        <p>One or more CA certificates must be specified for the OpenLDAP
        SDK to work correctly. These certificates can be specified as
        binary DER or Base64 (PEM) encoded files.</p>

        <p>Client certificates are specified per connection using the
        LDAPTrustedClientCert directive.</p>

        <p>The documentation for the SDK claims to support both SSL and
        STARTTLS, however STARTTLS does not seem to work on all versions
        of the SDK. The SSL/TLS mode can be set using the
        LDAPTrustedMode parameter. If an ldaps:// URL is specified,
        SSL mode is forced. The OpenLDAP documentation notes that SSL
        (ldaps://) support has been deprecated to be replaced with TLS,
        although the SSL functionality still works.</p>

        <div class="example"><p><code>
             # Specify two CA certificate files<br />
             LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
             LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
            &lt;Location /ldap-status&gt;<br />
            <span class="indent">
                SetHandler ldap-status<br />
                Order deny,allow<br />
                Deny from all<br />
                Allow from yourdomain.example.com<br />
                AuthLDAPEnabled on<br />
                LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
                LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
                AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
                AuthLDAPAuthoritative on<br />
                require valid-user<br />
            </span>
            &lt;/Location&gt;
        </code></p></div>



    <h3><a name="settingcerts-solaris" id="settingcerts-solaris">Solaris SDK</a></h3>

        <p>SSL/TLS for the native Solaris LDAP libraries is not yet
        supported. If required, install and use the OpenLDAP libraries
        instead.</p>



    <h3><a name="settingcerts-microsoft" id="settingcerts-microsoft">Microsoft SDK</a></h3>

        <p>SSL/TLS certificate configuration for the native Microsoft
        LDAP libraries is done inside the system registry, and no
        configuration directives are required.</p>

        <p>Both SSL and TLS are supported by using the ldaps:// URL
        format, or by using the LDAPTrustedMode directive accordingly.</p>

        <p>Note: The status of support for client certificates is not yet known
        for this toolkit.</p>



</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPCacheEntries" id="LDAPCacheEntries">LDAPCacheEntries</a> <a name="ldapcacheentries" id="ldapcacheentries">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>主LDAP缓冲的最大条目数</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPCacheEntries <var>number</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPCacheEntries 1024</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>指定主LDAP缓冲的最大条目数。这个缓冲区包含了成功的search/bind对。把它设为0可以关闭search/bind缓冲。默认值是1024 。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPCacheTTL" id="LDAPCacheTTL">LDAPCacheTTL</a> <a name="ldapcachettl" id="ldapcachettl">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>search/bind缓冲项目有效时限</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPCacheTTL <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPCacheTTL 600</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>指定search/bind缓冲项目有效的时间，以秒为单位。默认为600秒(10分钟)。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPConnectionTimeout" id="LDAPConnectionTimeout">LDAPConnectionTimeout</a> <a name="ldapconnectiontimeout" id="ldapconnectiontimeout">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>指定套接字连接超时秒数</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPConnectionTimeout <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the timeout value (in seconds) in which the module will
    attempt to connect to the LDAP server.  If a connection is not
    successful with the timeout period, either an error will be
    returned or the module will attempt to connect to a secondary LDAP
    server if one is specified. The default is 10 seconds.</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPOpCacheEntries" id="LDAPOpCacheEntries">LDAPOpCacheEntries</a> <a name="ldapopcacheentries" id="ldapopcacheentries">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>LDAP compare缓冲区的大小</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPOpCacheEntries <var>number</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPOpCacheEntries 1024</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>指定<code class="module"><a href="mod_ldap.html">mod_ldap</a></code>使用的LDAP compare缓冲区大小。默认值是1024条。把它设为0可以关闭操作缓冲。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPOpCacheTTL" id="LDAPOpCacheTTL">LDAPOpCacheTTL</a> <a name="ldapopcachettl" id="ldapopcachettl">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>操作缓冲有效时限</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPOpCacheTTL <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPOpCacheTTL 600</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>指定操作缓冲项目的有效时长，以秒为单位。默认为600秒。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPSharedCacheFile" id="LDAPSharedCacheFile">LDAPSharedCacheFile</a> <a name="ldapsharedcachefile" id="ldapsharedcachefile">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>设置共享内存缓冲区文件</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPSharedCacheFile <var>directory-path/filename</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>设置共享内存缓冲区文件。若未设置，将使用匿名共享内存(若平台支持)。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPSharedCacheSize" id="LDAPSharedCacheSize">LDAPSharedCacheSize</a> <a name="ldapsharedcachesize" id="ldapsharedcachesize">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>共享内存缓冲区的字节大小</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPSharedCacheSize <var>bytes</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPSharedCacheSize 102400</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>指定共享内存缓冲区的大小，以Byte为单位。默认为100KB。</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedClientCert" id="LDAPTrustedClientCert">LDAPTrustedClientCert</a> <a name="ldaptrustedclientcert" id="ldaptrustedclientcert">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>Sets the file containing or nickname referring to a per
connection client certificate. Not all LDAP toolkits support per
connection client certificates.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var> <var>[password]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>It specifies the directory path, file name or nickname of a
    per connection client certificate used when establishing an SSL
    or TLS connection to an LDAP server. Different locations or
    directories may have their own independant client certificate
    settings. Some LDAP toolkits (notably Novell)
    do not support per connection client certificates, and will throw an
    error on LDAP server connection if you try to use this directive
    (Use the LDAPTrustedGlobalCert directive instead for Novell client
    certificates - See the SSL/TLS certificate guide above for details).
    The type specifies the kind of certificate parameter being
    set, depending on the LDAP toolkit being used. Supported types are:</p>
    <ul>
      <li>CERT_DER - binary DER encoded client certificate</li>
      <li>CERT_BASE64 - PEM encoded client certificate</li>
      <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
      <li>KEY_DER - binary DER encoded private key</li>
      <li>KEY_BASE64 - PEM encoded private key</li>
    </ul>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedGlobalCert" id="LDAPTrustedGlobalCert">LDAPTrustedGlobalCert</a> <a name="ldaptrustedglobalcert" id="ldaptrustedglobalcert">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>Sets the file or database containing global trusted
Certificate Authority or global client certificates</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPTrustedGlobalCert <var>type</var> <var>directory-path/filename</var> <var>[password]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>It specifies the directory path and file name of the trusted CA
    certificates and/or system wide client certificates <code class="module"><a href="mod_ldap.html">mod_ldap</a></code>
    should use when establishing an SSL or TLS connection to an LDAP
    server. Note that all certificate information specified using this directive
    is applied globally to the entire server installation. Some LDAP toolkits
    (notably Novell) require all client certificates to be set globally using
    this directive. Most other toolkits require clients certificates to be set
    per Directory or per Location using LDAPTrustedClientCert. If you get this
    wrong, an error may be logged when an attempt is made to contact the LDAP
    server, or the connection may silently fail (See the SSL/TLS certificate
    guide above for details).
    The type specifies the kind of certificate parameter being
    set, depending on the LDAP toolkit being used. Supported types are:</p>
    <ul>
      <li>CA_DER - binary DER encoded CA certificate</li>
      <li>CA_BASE64 - PEM encoded CA certificate</li>
      <li>CA_CERT7_DB - Netscape cert7.db CA certificate database file</li>
      <li>CA_SECMOD - Netscape secmod database file</li>
      <li>CERT_DER - binary DER encoded client certificate</li>
      <li>CERT_BASE64 - PEM encoded client certificate</li>
      <li>CERT_KEY3_DB - Netscape key3.db client certificate database file</li>
      <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
      <li>CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)</li>
      <li>KEY_DER - binary DER encoded private key</li>
      <li>KEY_BASE64 - PEM encoded private key</li>
      <li>KEY_PFX - PKCS#12 encoded private key (Novell SDK)</li>
    </ul>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedMode" id="LDAPTrustedMode">LDAPTrustedMode</a> <a name="ldaptrustedmode" id="ldaptrustedmode">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>Specifies the SSL/TLS mode to be used when connecting to an LDAP server.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPTrustedMode <var>type</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>The following modes are supported:</p>
    <ul>
      <li>NONE - no encryption</li>
      <li>SSL - ldaps:// encryption on default port 636</li>
      <li>TLS - STARTTLS encryption on default port 389</li>
    </ul>

    <p>Not all LDAP toolkits support all the above modes. An error message
    will be logged at runtime if a mode is not supported, and the
    connection to the LDAP server will fail.
    </p>

    <p>If an ldaps:// URL is specified, the mode becomes SSL and the setting
    of LDAPTrustedMode is ignored.</p>

</div>
<div class="top"><a href="mod_ldap.html#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPVerifyServerCert" id="LDAPVerifyServerCert">LDAPVerifyServerCert</a> <a name="ldapverifyservercert" id="ldapverifyservercert">指令</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">说明</a></th><td>Force server certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">语法</a></th><td><code>LDAPVerifyServerCert <var>On|Off</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">默认值</a></th><td><code>LDAPVerifyServerCert On</code></td></tr>
<tr><th><a href="directive-dict.html#Context">作用域</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="directive-dict.html#Module">模块</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies whether to force the verification of a
     server certificate when establishing an SSL connection to the
     LDAP server.</p>

</div>
</div>
<div id="footer">
<p class="apache">本文允许自由的转载、引用、再分发，但必须保留译者署名并注明出处；详见：<a href="../translator_announcement.html#announcement">版权声明</a>。</p>
<p class="menu"><a href="index.html">模块索引</a> | <a href="directives.html">指令索引</a> | <a href="../faq/index.html">常见问题</a> | <a href="../glossary.html">词汇表</a> | <a href="../sitemap.html">站点导航</a></p></div>
</body></html>
